LiveActive security incident?Get immediate response
CVE Record

CVE-2014-9195: Phoenix Contact Software ProConOs and MultiProg Missing Authentication for Critical Function

Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.

CriticalCVSS 10Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

This flaw means some Phoenix Contact control software can accept powerful remote commands without proving who sent them. In business terms, exposed systems could let an attacker take control of affected industrial automation functions. The source bundle rates it critical with maximum CVSS v2 impact.

Executive priority

Prioritize this for any industrial site using Phoenix Contact automation software. The issue combines remote reachability, no authentication, and full confidentiality, integrity, and availability impact. Business urgency depends on whether affected systems are reachable beyond tightly controlled engineering networks.

Technical view

CVE-2014-9195 is CWE-306: missing authentication for a critical function in Phoenix Contact ProConOs and MultiProg. Sources say remote attackers can execute arbitrary commands using protocol-compliant traffic. The CVSS v2 vector is AV:N/AC:L/Au:N/C:C/I:C/A:C, score 10.0.

Likely exposure

Exposure is most likely where ProConOs or MultiProg is reachable over a network, especially from untrusted IT networks, remote access paths, or flat OT segments. The bundle lists all versions for both products, but does not provide detailed deployment conditions.

Exploitation context

The bundle includes an Exploit-DB reference, so public exploit information exists. It does not cite CISA KEV listing or confirm active exploitation. Treat internet-reachable or weakly segmented OT deployments as urgent until proven otherwise.

Researcher notes

Do not assume active exploitation from this bundle alone. The strongest confirmed signals are unauthenticated remote command execution, CVSS 10.0, affected Phoenix Contact products, CISA advisory references, and a public Exploit-DB entry. The bundle does not provide patch details.

Mitigation direction

  • Check Phoenix Contact and CISA advisory guidance for supported fixes or mitigations.
  • Remove affected interfaces from internet and untrusted network exposure.
  • Restrict access to trusted engineering workstations and OT management networks.
  • Use network allowlisting or segmentation where operationally safe.
  • Review compensating controls with operations before changing ICS connectivity.

Validation and detection

  • Inventory environments for Phoenix Contact ProConOs and MultiProg deployments.
  • Confirm whether affected services are reachable from non-engineering networks.
  • Review firewall, VPN, and remote-access paths into OT segments.
  • Look for protocol access attempts from unexpected hosts.
  • Validate any vendor-recommended update or mitigation in a test environment first.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-306: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2014-9195 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
10 (2.0)
Known Exploited
No
Published

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
10CVSS 2.0CriticalAV:N/AC:L/Au:N/C:C/I:C/A:C1010Primary CVE score

Vulnerability scoring details

Base CVSS 2.0 score

10Critical
CVSS 2.0 vector shape for CVE-2014-9195Access VectorAccess ComplexityAuthenticationConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Access Vector
NetworkAdjacentLocal
Access Complexity
LowMediumHigh
Authentication
NoneSingleMultiple
Confidentiality Impact
CompletePartialNone
Integrity Impact
CompletePartialNone
Availability Impact
CompletePartialNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Phoenix ContactProConOsAll versionsunaffected
Phoenix ContactMultiProgAll versionsunaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-306 · source CWE mapping

Missing Authentication for Critical Function

Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.